Jean-Marc Desperrier wrote:
Nelson B wrote:

Duane wrote:

Someone issued a server certificate from CAcert recently and they did so
using DSA instead of RSA, which they indicated works fine in MSIE,
Safari and subversion, but I also tried it in both mozilla and firefox
and both times got error -8152.

Does the mozilla family of browsers support DSA keys or only RSA?

https://svn.wanda.ch is the website...


When I attempt to connect to that server, it accepts the connection,
but never sends back a single byte.  The browser sends it a client
hello, and there is no response.


It seems this was only temporary and the site is up now: connection is possible with IE, and there's the -8152 error with Mozilla.

Thanks. I tested it again.

NSS rejected the DSA public key in the cert because the length of its
prime P is outside the range defined for DSA in FIPS 186-2.  AFAIK, the
DSA is defined in FIPS 186-2, which states that the prime P must have
length L (bits) where 512 <= L <= 1024 and L is a multiple of 64.
The value of P in the cert is 2048 bits.  Since that is not one of the
values for which the DSA is defined, NSS rejects the key.

The wrong error code is being given, and NSS should be changed to
give the right error code, which should be SEC_ERROR_BAD_KEY, -8178,
"Peer's public key is invalid.".

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
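To make Nelson's explanation concrete, here is an added example (not code from the thread, and not NSS's own implementation) that builds a DSA SubjectPublicKeyInfo with a tiny DER encoder, pulls the prime P back out of the Dss-Parms, and applies the FIPS 186-2 size rule he cites (512 <= L <= 1024, L a multiple of 64). The p, q, g and y values used are constructed placeholders chosen only for their bit lengths, not real DSA parameters and not the svn.wanda.ch key.

```python
# Added example: DER-encode a DSA SubjectPublicKeyInfo, recover P, and apply the
# FIPS 186-2 length rule. Sample parameter values are constructed (not real primes).
DSA_OID = bytes.fromhex("2a8648ce380401")  # id-dsa, OID 1.2.840.10040.4.1

def der_len(n):
    # DER length: short form below 128, otherwise 0x8N followed by N length bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    # DER INTEGER of a non-negative int; a 0x00 pad byte is added when the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def dsa_spki(p, q, g, y):
    # SubjectPublicKeyInfo ::= SEQ { SEQ { id-dsa, Dss-Parms{p,q,g} }, BIT STRING (INTEGER y) }
    oid = b"\x06" + der_len(len(DSA_OID)) + DSA_OID
    alg = der_seq(oid, der_seq(der_int(p), der_int(q), der_int(g)))
    y_enc = der_int(y)
    return der_seq(alg, b"\x03" + der_len(len(y_enc) + 1) + b"\x00" + y_enc)

def der_read(buf, pos):
    # Read one TLV at pos and return (tag, contents, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dsa_prime_bits(spki):
    # Walk SPKI -> AlgorithmIdentifier -> Dss-Parms and return the bit length L of p.
    _, outer, _ = der_read(spki, 0)
    _, alg, _ = der_read(outer, 0)
    tag, oid, pos = der_read(alg, 0)
    if tag != 0x06 or oid != DSA_OID:
        raise ValueError("not a DSA SubjectPublicKeyInfo")
    _, params, _ = der_read(alg, pos)
    _, p_bytes, _ = der_read(params, 0)  # first INTEGER of Dss-Parms is p
    # Measure the integer value, not the byte count: the 0x00 pad byte would add 8 bits.
    return int.from_bytes(p_bytes, "big").bit_length()

def fips186_2_size_ok(bits):
    # FIPS 186-2 defines DSA only for 512 <= L <= 1024 with L a multiple of 64.
    return 512 <= bits <= 1024 and bits % 64 == 0

def check_dsa_spki(spki):
    bits = dsa_prime_bits(spki)
    return bits, fips186_2_size_ok(bits)
```

Running `check_dsa_spki(dsa_spki((1 << 2047) | 1, (1 << 159) | 1, 2, 5))` returns `(2048, False)`, the situation in the thread, while the same call with a 1024-bit p returns `(1024, True)`.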